Migrate local group memberships between directories
This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.
Please review Migrating Users between User Directories first before going through this KB article.
This process requires the use of a third-party plugin as well as a script that runs externally of a JIRA application. As such, this process is not officially supported by Atlassian and the information on this page is provided as-is.
When to use this KB
Currently Jira handles group membership separate per directory. We have this open suggestion to make local group membership applied globally across directories, but in the meantime this KB will help you migrate your group memberships between any combination of the following directory types:
Find out how easy, scalable and effective it can be with Crowd!
See centralized user management .
Step 1: Create a CSV of user-group relationships
First, you will need to create a CSV by exporting the username and group pairing of all users in your directory. You will need the directory ID for the source users and groups. To find out your directory ID, run the following query:
SELECT id, directory_name, description, directory_type FROM cwd_directory;
MySQL and Postgres queries are provided below that will create the proper output for the CSV file (It has to be a CSV file).
SELECT cu.lower_user_name, cg.lower_group_name FROM cwd_user cu JOIN cwd_membership cm ON cu.id=cm.child_id JOIN cwd_group cg ON cm.parent_id=cg.id WHERE cu.directory_id=<souce_directory_id> AND cg.directory_id=<souce_directory_id> INTO OUTFILE '/tmp/outfile.csv' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';
COPY ( SELECT cu.lower_user_name, cg.lower_group_name FROM cwd_user cu JOIN cwd_membership cm ON cu.id=cm.child_id JOIN cwd_group cg ON cm.parent_id=cg.id WHERE cu.directory_id=<souce_directory_id> AND cg.directory_id=<souce_directory_id> ) TO '/tmp/user-groups.csv' WITH CSV;
If you are migrating from and either of the LDAP-backed directories with local and external groups, and you do not want your LDAP groups added to your internal directory, add
cg.local='T' to your
WHERE clause. This is not necessary if your source directory is a standard internal directory.
The target group is case sensitive, but not the username. If you happen to have problem with the groups, you might want to change
The output of these queries should create a csv with content similar to the following:
admin,jira-administrators admin,jira-developers admin,jira-users
Step 2: Create your new directory and add users
The most common directories to migrate local memberships to are LDAP Directories with Local Groups or an Internal Directory with LDAP Authentication, but you can also use this method for a newly created Internal Directory. Once you have created your desired directory, you will need to meet the following prerequisites:
- The new directory must be moved to the top of the directory list in JIRA Administration >> User Directories.
All of the usernames that need their group memberships migrated need to already exist in the new directory. In an LDAP directory that supports syncing, this will happen automatically once you create the directory. For an internal directory, you will need to populate the directory manually. This can be accomplished via the CLI with the
addUserWithFileaction. Each line in your CSV will need to be in the format: user,password,email,fullName
You can alter the SQL statements above so that the select portion of the query pulls the necessary columns to create an addUser CSV. For example,
SELECT lower_user_name, 'password', email_address, display_name FROM cwd_user JOIN..., replacing password with any random string for a temporary password. Your users can then use the password reset option before logging into JIRA after the migration.
Step 3: Install the Atlassian CLI Tool
Download and install the Atlassian CLI plugin (via
Cog > Add-ons > Manage add-ons > Upload add-on)
Generate a new evaluation license through https://my.atlassian.com (MAC) and attach the license to make it work. Details on usage can be found on the JIRA CLI wiki page.
Download the CLI client from the page.
Step 4: Use the CLI to add users to their groups
These instructions were written for JIRA CLI version 5 and may need to be adapted to later versions.
The CLI tool has a built in action that will automatically add users to groups using a CSV. Run the following command from the CLI directory root directory:
./jira.sh --server <BASE_URL> --user "<username>" --password "<password>" --action addUserToGroupWithFile --file "/path/to/test.csv" --autoGroup
For Windows users, replace
jira.bat. Once the script has completed, you can move the new directory to any ordering you prefer. If you are unsure of how ordering your directories affects authentication and permissions, there is more information available in our doc on Managing Multiple Directories.
After migration, the users will need to login against the new directory before the user can receive any notifications, or be added as Participants or Watchers.